People use the same stupid passwords because they can't remember smart ones. But what if it wasn't words but images? British researchers have shown it works - and it's hard to hack.

In a paper published on PeerJ, British researchers Rob Jenkins, Jane L. McLachlan and Karen Renaud tested a knowledge-based authentication method that tests what you know, not what you remember. Based on our powerful recognition capabilities, the method tests whether we find a face familiar or not.

Using images for security is not a new idea; the Passface system was tested back in 2000. But Passface is susceptible to "over the shoulder" attacks since what's memorable to you is also memorable to observers.

Facelock's difference is that the system offers security based on our innate ability to clearly differentiate between familiar and unfamiliar faces:

When a face is familiar to the viewer, it can be identified from a wide range of different photographs, even when image quality is very poor. Importantly for this study, different images of a familiar face are almost never mistaken for different people. In contrast, our ability to identify unfamiliar faces from photographs is strikingly poor. Very often, different photos of an unfamiliar face are seen as different individuals. Thus, familiarity with a particular face determines one’s ability to identify it across changes in image. [Citations removed for clarity]

Try yourself with this example from the paper:

Facelock presents a series of face arrays, where one face is familiar among unfamiliar ones. The user merely chooses the familiar face in each array.

The arrays can be presented in different orders with the faces in different positions. But it is our ability to recognize familiar faces in different images that provides the real security: Even if an attacker knows which faces we chose during one authentication, they are unlikely to recognize the same faces in different pictures.

Testing the theoryThe researchers ran two studies with over 400 participants. They included: account holders; attackers who were strangers; and attackers who were personal acquaintances. They tested at one-week and one-year delays.

Special Feature

The Edward Snowden revelations have rocked governments, global businesses, and the technology world. Here is our perspective on the still-unfolding implications along with IT security and risk management best practices that technology leaders can put to good use.

Account holders were asked to choose faces of Z-list celebrities: people famous in a narrow field, such as skiing or computer science that you knew; but not well-known to the public at large.

After one week, without writing anything down, 97.5 percent could authenticate their accounts, while zero-acquaintance attackers succeeded less than 1 percent of the time - and that only when the faces were well-known. Personal attackers only succeeded 6.6 percent of the time.

After a year a full 86 percent were able to authenticate. Amazing!

They also tested whether attackers given a clear view of the right faces could authenticate with different photos of the same faces. Only photos of distinctive people - i.e. bald with round glasses - were recognized in different photos.

No pictures of the Joker. Got it.

The Storage Bits take The ubiquity of "forgot password?" links is proof passwords don't work for humans. And the ease of dictionary attacks on encrypted passwords is proof they don't work well for computers either.

But just as we can recognize a friend's walk before we can see their faces, our pattern recognition skills mean that photos of people we know could be a powerful authentication tool: easy to remember; hard to hack.

Venture capitalists need to pump some money into this idea. Passwords suck and as security consciousness continues to rise - and it will thanks to Mr. Snowden - this will find a ready market.

Thank You

By registering you become a member of the CBS Interactive family of sites and you have read and agree to the Terms of Use, Privacy Policy and Video Services Policy. You agree to receive updates, alerts and promotions from CBS and that CBS may share information about you with our marketing partners so that they may contact you by email or otherwise about their products or services.
You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.